3.5.5 — Don't Recycle Usernames
What It Says
Section titled “What It Says”Prevent reuse of identifiers for a defined period.
What It Actually Means
Section titled “What It Actually Means”When someone leaves, their username shouldn’t be given to a new hire immediately. Two reasons:
- Audit trail confusion. Log entries for “jsmith” now refer to two different people depending on the date. An investigation becomes ambiguous.
- Inherited access. If the old jsmith’s permissions weren’t fully revoked, the new jsmith might inherit access they shouldn’t have.
Define the retention period in your access control policy — 90 days is the common standard. The assessor will ask what your policy states and verify it’s enforced.
This also applies to service accounts. Don’t repurpose an old service account for a new function — create a new one with a new identifier.
Pass or Fail
Section titled “Pass or Fail”Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is a defined period for identifier reuse established? | Policy states identifiers aren’t reused for 90 days (or your defined period) |
| 2 | Is identifier reuse prevented for that period? | The system enforces the retention — disabled accounts kept in AD for the defined period |
What to Have Ready on Assessment Day
Section titled “What to Have Ready on Assessment Day”Documents they’ll review: Identification and authentication policy; procedures addressing identifier management; system security plan; system configuration settings
People they’ll talk to: Personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators
Live demos they’ll ask for: Mechanisms supporting or implementing identifier management
The Assessor’s Playbook
Section titled “The Assessor’s Playbook”These are the actual questions. Have answers ready.
- “What is your defined period for identifier reuse?”
- “Show me it’s documented in your policy.”
- “Can you show me that disabled accounts are retained for the defined period?”
- “Has any username been reused within the retention period? How would you know?”
Where Companies Trip Up
Section titled “Where Companies Trip Up”Immediate reuse. New hire on Monday gets the username of someone who left Friday. 90-day retention prevents this.
Accounts deleted instead of disabled. If you delete the account, you lose the audit trail. Disable and retain for the defined period.
No defined period in policy. You don’t reuse usernames in practice but there’s no documented policy. The assessor needs a written number.
Service account reuse. Old service account repurposed for new function without changing the identifier. Create a new one.
How to Talk About This
Section titled “How to Talk About This”Connected Requirements
Section titled “Connected Requirements”| Requirement | Why it matters here |
|---|---|
| 3.5.1 — Prove Who You Are | Establishes unique identifiers this control protects from premature reuse |
| 3.3.2 — Trace Every Action | Identifier reuse undermines the ability to trace actions to individuals |
| 3.9.2 — Revoke on Departure | The offboarding process that disables (not deletes) identifiers |
Implementation
Section titled “Implementation”Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.
Start a conversation →CMMC Practice ID: IA.L2-3.5.5 | SPRS Weight: 1 point | POA&M Eligible: Yes